Need to block UDP Port 10006 on Cisco Cat 2950

Leo Laohoo Thu, 05/20/2010 - 08:26

A Cisco c2950 is a layer 2 switch.  A layer 2 switch would not know what an IP address is.

Federico Coto F... Thu, 05/20/2010 - 08:34

As Leo said... a layer 2 switch will know what an IP address is, but only for management purposes (to access the switch itself).


The layer 2 switch will not care about the IPs in terms of passing traffic because it is not aware of routing.


Federico.

Jon Marshall Thu, 05/20/2010 - 08:51

Leo / Federico


I could be wrong, but as far as I know a L2 switch can filter on IP address. Have a look at the configuration guide I sent. A L2 switch does not have to be able to route to recognise IP addresses. Think of the fact that most L2 switches can recognise DSCP values, which again are a L3 marking in the IP header.


Jon

Federico Coto F... Thu, 05/20/2010 - 09:01

Jon,

You're right! I'd forgotten completely about this.

You can configure ACLs based on L2, L3 or even L4 information on a L2 port on a L2 switch.


Definitely can give that a try.

If there's a layer 3 device I would do it there; if not, I can implement the ACLs on the L2 ports.


Federico.

Leo Laohoo Thu, 05/20/2010 - 16:26

Lousy time to quit Red Bulls before bed.  Me baaaaaaaaaaaaaaaaaaaaaaaad.

Jon Marshall Thu, 05/20/2010 - 08:26

Tom


Using ACLs applied to the interfaces would work. Click on this link, then select the first link in the search results and scroll down to the section on Network Security ACLs (Chapter 28) -


2950/2955 configuration guides


Jon

Jon,

This looks like it might well be the answer. Now I just need to work out what the syntax is. The devices will be 172.20.23.100 & 172.20.23.105 and the UDP port is port 10006. I'd be happy to block all of this UDP traffic on the whole switch or just on the 2 ports in question, whichever is most straightforward.


Tom

Jon Marshall Fri, 05/21/2010 - 07:14


Tom


Try this -



access-list 101 deny udp host 172.20.23.100 host 172.20.23.105 eq 10006
access-list 101 permit ip any any

access-list 102 deny udp host 172.20.23.105 host 172.20.23.100 eq 10006
access-list 102 permit ip any any

int gi0/1      <---- connected to 172.20.23.100; obviously you need to modify this depending on which port the host is connected to
ip access-group 101 in

int gi0/2      <---- connected to 172.20.23.105, with the same proviso as above
ip access-group 102 in


Jon

OK, the switch has arrived and I'm struggling a bit. I can only assign an IP address to either VLAN1 or one of the FastEthernet interfaces (not both). I believe that I need to have an IP address assigned to the interface in order to assign ACLs to that interface. This is evident when I try the IP ACCESS-GROUP command on an interface with no IP address: the command is not available.


So I created 2 ACLs:


access-list 101 deny udp any any eq 10006
access-list 101 deny tcp any any eq 10006
access-list 101 permit ip any any

access-list 102 deny udp any any eq 10006
access-list 102 deny tcp any any eq 10006
access-list 102 permit ip any any


and I have tried to add the IP ACCESS-GROUP to VLAN 1 (as all the interfaces are in VLAN1):

int vlan1
ip access-group 101 in
ip access-group 102 out

I'm sure I'm missing something really obvious, but it's not working; the broadcast traffic is still going between ports 1 & 2.

Help?

Tom
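To make the ACL semantics in the two proposals above concrete, here is an added Python model (not from this thread, Cisco, or IOS) of how a port ACL evaluates a packet: it parses the access-list lines quoted in the thread, applies first-match evaluation ending in the implicit deny, and shows that an "eq 10006" placed after the destination address matches the destination port only. It assumes the simplified syntax used here (host/any, no wildcard masks); Packet, parse_acls and evaluate are names chosen for this example.

```python
import ipaddress
from collections import namedtuple

# A packet as the port ACL sees it (constructed model, not switch data).
Packet = namedtuple("Packet", "proto src dst sport dport", defaults=(0, 0))

def _addr(tok):
    """One IOS address spec: 'any' or 'host A.B.C.D' (wildcard masks not modelled)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    raise ValueError(f"unsupported address spec: {tok[0]}")

def _port(tok):
    """Optional 'eq N' after an address; it qualifies that side's port only."""
    return (int(tok[1]), tok[2:]) if tok and tok[0] == "eq" else (None, tok)

def parse_acls(text):
    """Parse 'access-list N {permit|deny} PROTO SRC [eq P] DST [eq P]' lines."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue  # not an ACE in the subset this model understands
        src, rest = _addr(t[4:])
        sport, rest = _port(rest)
        dst, rest = _addr(rest)
        dport, _ = _port(rest)
        acls.setdefault(t[1], []).append((t[2], t[3], src, sport, dst, dport))
    return acls

def _matches(ace, p):
    _action, proto, src, sport, dst, dport = ace
    return (proto in ("ip", p.proto) and ipaddress.ip_address(p.src) in src
            and ipaddress.ip_address(p.dst) in dst
            and sport in (None, p.sport) and dport in (None, p.dport))

def evaluate(aces, pkt):
    """First matching ACE decides; no match falls through to IOS's implicit deny."""
    return next((ace[0] for ace in aces if _matches(ace, pkt)), "deny")

# Constructed ACL text in the shape of the two proposals in this thread.
JON = """access-list 101 deny udp host 172.20.23.100 host 172.20.23.105 eq 10006
access-list 101 permit ip any any
access-list 102 deny udp host 172.20.23.105 host 172.20.23.100 eq 10006
access-list 102 permit ip any any"""
TOM = """access-list 101 deny udp any any eq 10006
access-list 101 deny tcp any any eq 10006
access-list 101 permit ip any any"""
```

Evaluating the reverse direction (.105 to .100) against list 101 alone returns permit, which is why Jon pairs it with list 102 applied inbound on the other port; a packet sourced from port 10006 but sent to another port also passes Tom's "any any eq 10006" lines, because that "eq" binds to the destination port.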

